DSL router / firewall problem

Post by Antony Gelber » Fri, 31 May 2002 10:19:05

Hi all,

I have an ADSL router that I wish to connect to my LAN via a RedHat7.3 box
set up with ipchains (not iptables, I wish to re-work some old config
files).  I am trying to get it working before I start with the ipchains
rules.  There are some issues, hope someone can help me out...  I am ultra
stressed here!

The LAN has about 10 hosts, all on 192.168.1.0.  The firewall box has two
NICs, eth1 is internal and is 192.168.1.1.  eth0 is to the ADSL and is
10.0.0.3.
The router is a 1 port Conexant (Dabs) model.  The LAN address is set up as
10.0.0.2.  It seems to set up the PPPoATM connection quite happily (after a
struggle - what a poor manual!) - I can tell when I access it direct from a
PC that is directly connected to it via a crossover cable.  Ifconfig looks
good, no errored packets.

However, when I connect the router to eth0 on the firewall box, the fun and
games (don't) begin.  The symptoms are:
o From firewall box, can ping any host on LAN.  Can ping 10.0.0.2 (ADSL
router).  Cannot ping the gateway listed in the router's routing table - no
response from that address at all.
o LAN hosts can ping both NICs of the firewall PC, but cannot ping the ADSL
router.  I can ping the router from the firewall itself.

This is incredibly annoying, problems pinging the router - before I even get
outside the building!  :-)  And the router is administered from a web
browser, which I don't have on the firewall, ouch...

I have done an echo 1 > /proc/sys/net/ipv4/ip_forward, so that ain't the
problem.  I have obviously thought about this - could it be to do with the
fact that my two networks are both private address ranges?  Does the Linux
box (or IP itself) not forward between private address ranges?  And if not,
how do I get around the problem?  Surely I need different subnets on each
NIC?

I know it's not the norm, but can I plead that any replies to this post be

will be back on the customer site tomorrow, and I'm banging my head against
a wall here!

I can give more detail if needed, and I think it will be...  :-)

Thanks,

Antony
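Linux forwards between two RFC1918 ranges exactly as it forwards between any other networks once ip_forward is set, so the private addressing is not the obstacle. One common cause of the symptom described above (LAN hosts reach both NICs of the firewall but not the router, while the firewall itself reaches the router) is that the router has no route back to 192.168.1.0/24 and sends its replies to its default gateway instead. The post does not confirm that, so the following is an added illustration rather than code from the post: a small Python model of longest-prefix route lookup using the addresses given. The firewall's table follows from the post; the router's table, the placeholder ISP hop `isp-gateway` and the device names `lan` and `ppp0` are assumptions.

```python
import ipaddress

# Constructed routing tables modelled on the addresses in the post.
# The firewall's table follows from its two NICs and the router as default
# gateway; the router's table is an assumption (the post does not show it):
# its own 10.0.0.0/24 segment plus a default route towards the ISP.
# Entries are (prefix, gateway or None when directly connected, device).
FIREWALL_ROUTES = [
    ("192.168.1.0/24", None, "eth1"),
    ("10.0.0.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.0.0.2", "eth0"),
]
ROUTER_ROUTES = [
    ("10.0.0.0/24", None, "lan"),
    ("0.0.0.0/0", "isp-gateway", "ppp0"),  # placeholder name for the ISP hop
]
# Fix 1: the router learns the way back to the LAN through the firewall's eth0.
ROUTER_WITH_RETURN_ROUTE = ROUTER_ROUTES + [("192.168.1.0/24", "10.0.0.3", "lan")]


def lookup(routes, dst):
    """Longest-prefix match, which is how the kernel picks a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, device in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return best


def next_hop(routes, dst):
    """(address the packet is handed to, device), or None if there is no route."""
    hit = lookup(routes, dst)
    if hit is None:
        return None
    _, gateway, device = hit
    return (gateway or dst, device)


def both_private(a, b):
    """Both ends being RFC1918 plays no part in forwarding; the table decides."""
    return ipaddress.ip_address(a).is_private and ipaddress.ip_address(b).is_private


def ping_round_trip(lan_host, target, router_routes, snat_src=None):
    """Trace a LAN host's echo request to the router and the router's reply.

    snat_src models Fix 2: masquerading on eth0, so the router sees the
    firewall's own address instead of the LAN host as the source.
    """
    outbound = next_hop(FIREWALL_ROUTES, target)   # firewall forwards the request
    source_seen = snat_src or lan_host
    reply = next_hop(router_routes, source_seen)   # router answers the source it saw
    reply_reaches_lan = reply is not None and reply[1] == "lan"
    return outbound, reply, reply_reaches_lan


if __name__ == "__main__":
    host, router = "192.168.1.5", "10.0.0.2"
    print("both private:", both_private(host, router))
    for label, table, snat in (
        ("as described in the post", ROUTER_ROUTES, None),
        ("router given a return route", ROUTER_WITH_RETURN_ROUTE, None),
        ("firewall masquerading on eth0", ROUTER_ROUTES, "10.0.0.3"),
    ):
        out, back, ok = ping_round_trip(host, router, table, snat)
        print(f"{label}: request -> {out}, reply -> {back}, reply reaches LAN: {ok}")
```

In the first scenario the request reaches 10.0.0.2 on eth0 but the reply is handed to the ISP hop, which matches "no response at all" from the LAN side. The two fixes translate to either a static route for 192.168.1.0/24 via 10.0.0.3 entered on the router, or masquerading the LAN behind eth0 on the firewall, which in the ipchains syntax the post uses is `ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ`.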


1. Problem DSL Router <-> Firewall Router <-> Clients

Hello,

I would like to setup the following network configuration.

DSL Router <-> Firewall Router <-> Clients

I use static IPs, DHCP is disabled everywhere.

DSL Router
----------
- IP: 192.168.1.2
- does all NAT stuff, integrated DNS Server
- Route for network 192.168.0.0 set to 192.168.1.1

Firewall Router
---------------
- Linux machine with iptables firewall
- NIC connected with DSL Router: 192.168.1.1
- NIC connected with Clients   : 192.168.0.20

Clients
-------
All in 192.168.0.0 network
Default Gateway: 192.168.0.20
DNS entry: 192.168.1.2 and other

I can't establish a connection, for instance for http. Currently the
firewall has no rules which drop packets, so this should not cause the
error:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

I logged traffic with tcpdump at eth0 and eth1 in the firewall router.
Perhaps somebody can find out the problem. Traffic was logged while trying
to access the URL www.spiegel.de.

eth0:
21:56:13.217316 192.168.1.2.53 > 192.168.0.2.1026: 2702 4/0/0 CNAME[|domain]
21:56:13.225296 192.168.0.2.1161 > 213.200.97.168.80: S 3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:17.225336 192.168.0.2.1161 > 213.200.97.168.80: S 3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.205192 arp who-has 192.168.0.2 tell 192.168.0.20
21:56:19.225350 192.168.0.2.1163 > 195.71.11.67.80: S 3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.355293 arp reply 192.168.0.2 is-at <mac>
21:56:21.355341 192.168.0.2.1163 > 195.71.11.67.80: S 3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:22.245295 192.168.0.2.1161 > 213.200.97.168.80: S 3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:27.245343 192.168.0.2.1163 > 195.71.11.67.80: S 3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:35.245363 192.168.0.2.1165 > 213.200.97.166.80: S 3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:38.245367 192.168.0.2.1165 > 213.200.97.166.80: S 3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)

eth1:
21:55:18.658322 192.168.1.2.53 > 192.168.0.2.1026: 63104 4/0/0 CNAME[|domain]
21:55:24.585228 arp who-has 192.168.1.2 tell 192.168.1.1
21:55:24.585590 arp reply 192.168.1.2 is-at <mac>

Do I have an MTU problem? I integrated this line for iptables:
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
No success.

I also tried to vary the MTU of the firewall NICs 1500 / 1472 / 1432: no
success.

What else could be the reason?

Thomas
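The two captures in the post already carry the key signal: every SYN from 192.168.0.2 appears on eth0 (the client-facing NIC) and none appears on eth1 (the router-facing NIC), while the DNS reply from 192.168.1.2 does cross both. The following added example is not code from the post: it parses tcpdump 3.x lines in the notation printed above and compares per-flow SYN and SYN-ACK counts between the two NICs to say where a connection attempt stops. The captures are constructed from the post's trace (continuation lines joined) plus one invented flow to 203.0.113.10 that shows what a completed handshake looks like; the comparison assumes the firewall itself does not NAT, which is the setup in the post (the DSL router does the NAT).

```python
import re
from collections import defaultdict

# Constructed captures in tcpdump 3.x notation, modelled on the trace in the
# post (continuation lines joined). The 192.168.0.2:1170 -> 203.0.113.10:80
# flow is invented to show a handshake that does complete on both NICs.
ETH0_INSIDE = """\
21:56:13.217316 192.168.1.2.53 > 192.168.0.2.1026: 2702 4/0/0 CNAME[|domain]
21:56:13.225296 192.168.0.2.1161 > 213.200.97.168.80: S 3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:17.225336 192.168.0.2.1161 > 213.200.97.168.80: S 3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.205192 arp who-has 192.168.0.2 tell 192.168.0.20
21:56:19.225350 192.168.0.2.1163 > 195.71.11.67.80: S 3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:22.245295 192.168.0.2.1161 > 213.200.97.168.80: S 3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:40.000000 192.168.0.2.1170 > 203.0.113.10.80: S 3800000000:3800000000(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:40.120000 203.0.113.10.80 > 192.168.0.2.1170: S 1000:1000(0) ack 3800000001 win 5840 <mss 1460> (DF)
""".splitlines()

ETH1_OUTSIDE = """\
21:55:18.658322 192.168.1.2.53 > 192.168.0.2.1026: 63104 4/0/0 CNAME[|domain]
21:55:24.585228 arp who-has 192.168.1.2 tell 192.168.1.1
21:56:40.010000 192.168.0.2.1170 > 203.0.113.10.80: S 3800000000:3800000000(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:40.110000 203.0.113.10.80 > 192.168.0.2.1170: S 1000:1000(0) ack 3800000001 win 5840 <mss 1460> (DF)
""".splitlines()

# "<ts> <src>.<sport> > <dst>.<dport>: <flags> <rest>"; DNS lines match the
# shape too but carry a query id where TCP lines carry flag letters.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>\S+) ?(?P<rest>.*)$"
)


def parse_tcp(line):
    """Return a dict for a TCP line, or None for ARP, DNS and other lines."""
    m = LINE_RE.match(line)
    if not m or m["flags"][0] not in "SPFR.":   # tcpdump 3.x TCP flag letters
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "syn": "S" in m["flags"],
        "ack": " ack " in f" {m['rest']} ",
    }


def summarize(lines):
    """Per client flow (client, cport, server, sport): SYNs sent, SYN-ACKs returned."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in lines:
        pkt = parse_tcp(line)
        if pkt is None or not pkt["syn"]:
            continue
        if pkt["ack"]:   # SYN-ACK travels server -> client: flip it onto the client's key
            stats[(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])]["synack"] += 1
        else:
            stats[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]["syn"] += 1
    return dict(stats)


def diagnose(inside_lines, outside_lines):
    """Compare each flow seen on the inside NIC with what the outside NIC saw.

    Assumes the firewall does not NAT (in the post the DSL router does), so
    the same 4-tuple identifies a flow on both sides.
    """
    inside, outside = summarize(inside_lines), summarize(outside_lines)
    verdicts = {}
    for key, i in inside.items():
        o = outside.get(key, {"syn": 0, "synack": 0})
        if i["synack"]:
            why = "handshake answered"
        elif o["syn"] == 0:
            why = "SYN seen inside only: dropped or not routed by the firewall"
        elif o["synack"] == 0:
            why = "SYN forwarded, no SYN-ACK came back: look upstream (NAT, routing, MTU)"
        else:
            why = "SYN-ACK reached the outside NIC but not the inside: return path on the firewall"
        verdicts[key] = (i["syn"], o["syn"], why)
    return verdicts


if __name__ == "__main__":
    for (client, cport, server, sport), (syn_in, syn_out, why) in diagnose(ETH0_INSIDE, ETH1_OUTSIDE).items():
        print(f"{client}:{cport} -> {server}:{sport}: {syn_in} SYN inside, {syn_out} outside: {why}")
```

Run on the post's own trace, every flow to the web servers lands in the "SYN seen inside only" bucket, which points at the firewall's forwarding path (rules, routing or reverse-path checks) rather than at the MTU, since an MTU problem would normally let the SYN through and fail later in the connection. The script counts retransmitted SYNs as well, so a flow with three SYNs inside and none outside is distinguishable from a single lost packet.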
